Internet Access from Inside to Outside ASA 5510 ver 9.1

Hi everyone, I need help setting up an ASA 5510 to allow all traffic going from the inside to outside so I can get internet access through it. I have worked on this for days and I have finally got traffic moving between my router and my ASA, but that is it. Everything is blocked because of NAT rules I assume.
I get errors like this when I try Packet Tracer:
(nat-xlate-failed) NAT failed
(acl-drop) Flow is denied by configured rule
Version Information:
Cisco Adaptive Security Appliance Software Version 9.1(4)
Device Manager Version 7.1(5)
Compiled on Thu 05-Dec-13 19:37 by builders
System image file is "disk0:/asa914-k8.bin"
Here is my ASA config, all I want for this exercise is to pass traffic from the inside network to the outside to allow internet access so I can access the internet and then look for specific acl's or nat for specific services:
Thank You!
Config:
ASA5510# sh running-config
: Saved
ASA Version 9.1(4)
hostname ASA5510
domain-name inside.int
enable password <redacted> encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd <redacted> encrypted
names
dns-guard
interface Ethernet0/0
description LAN Interface
nameif Inside
security-level 100
ip address 10.10.1.1 255.255.255.252
interface Ethernet0/1
description WAN Interface
nameif Outside
security-level 0
ip address 199.199.199.123 255.255.255.240
boot system disk0:/asa914-k8.bin
ftp mode passive
dns domain-lookup Outside
dns server-group DefaultDNS
name-server 199.199.199.4
domain-name inside.int
object network inside-net
subnet 10.0.0.0 255.255.255.0
description Inside Network Object
access-list USERS standard permit 10.10.1.0 255.255.255.0
access-list OUTSIDE-IN extended permit ip any any
access-list INSIDE-IN extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu Inside 1500
mtu Outside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Inside,Outside) source dynamic any interface
object network inside-net
  nat (Inside,Outside) dynamic interface
access-group INSIDE-IN in interface Inside
access-group OUTSIDE-IN in interface Outside
router rip
network 10.0.0.0
network 199.199.199.0
version 2
no auto-summary
route Outside 0.0.0.0 0.0.0.0 199.199.199.113 1
route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1
route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1
route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Inside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username <redacted> password <redacted> encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
  parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
password encryption aes
Cryptochecksum:<redacted>
: end
SH NAT:
ASA5510# sh nat
Manual NAT Policies (Section 1)
1 (Inside) to (Outside) source dynamic any interface
    translate_hits = 0, untranslate_hits = 0
Auto NAT Policies (Section 2)
1 (Inside) to (Outside) source dynamic inside-net interface
     translate_hits = 0, untranslate_hits = 0
SH RUN NAT:
ASA5510# sh run nat
nat (Inside,Outside) source dynamic any interface
object network inside-net
nat (Inside,Outside) dynamic interface
SH RUN OBJECT:
ASA5510(config)# sh run object
object network inside-net
subnet 10.0.0.0 255.255.255.0
description Inside Network Object

Hello Mitchell,
First of all how are you testing this:
interface Ethernet0/0
description LAN Interface
nameif Inside
security-level 100
ip address 10.10.1.1 255.255.255.252
Take into consideration that the netmask is /30.
The Twice NAT is good, ACLs are good.
Do the following and provide us the result:
packet-tracer input inside tcp 10.10.1.2 1025 4.2.2.2 80
packet-tracer input inside tcp 192.168.1.100 1025 4.2.2.2 80
And provide us the result!
Looking for some Networking Assistance? 
Contact me directly at [email protected]
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
Note: Check my website, there is a video about this that might help you.
http://laguiadelnetworking.com
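A quick offline check of the configuration posted in this thread, as an added example that is not part of the original posts or of any Cisco tooling: it collects the networks that reach the ASA through the `Inside` interface (the connected /30 plus the `route Inside` statements) and tests whether a named NAT source object covers them. The function names are hypothetical and the parser handles only the statement forms that appear on this page.

```python
import ipaddress

# Lines copied from the running-config in the question (only what the check needs).
QUESTION_CONFIG = """\
interface Ethernet0/0
nameif Inside
ip address 10.10.1.1 255.255.255.252
interface Ethernet0/1
nameif Outside
ip address 199.199.199.123 255.255.255.240
object network inside-net
subnet 10.0.0.0 255.255.255.0
route Outside 0.0.0.0 0.0.0.0 199.199.199.113 1
route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1
route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1
route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1
"""

# Same topology with the PAT-SOURCE group from the follow-up config in the
# related thread further down the page.
FOLLOWUP_CONFIG = """\
interface Ethernet0/0
nameif Inside
ip address 10.10.1.1 255.255.255.252
object-group network PAT-SOURCE
network-object 172.16.10.0 255.255.255.0
network-object 172.16.20.0 255.255.255.0
network-object 192.168.1.0 255.255.255.0
network-object 10.10.1.0 255.255.255.252
route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1
route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1
route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1
"""


def _net(addr, mask):
    # strict=False lets an interface address (10.10.1.1) stand for its subnet.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def inside_sources(config, nameif):
    """Networks whose traffic enters on `nameif`: the connected subnet plus
    every static route that points out of that interface."""
    nets, current = [], None
    for raw in config.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "interface":
            current = None                      # new interface block starts
        elif tok[0] == "nameif" and len(tok) == 2:
            current = tok[1]
        elif tok[:2] == ["ip", "address"] and len(tok) >= 4 and current == nameif:
            nets.append(_net(tok[2], tok[3]))
        elif tok[0] == "route" and len(tok) >= 5 and tok[1] == nameif:
            nets.append(_net(tok[2], tok[3]))
    return nets


def nat_objects(config):
    """Map each `object network` / `object-group network` name to its networks."""
    objs, name = {}, None
    for raw in config.splitlines():
        tok = raw.split()
        if len(tok) >= 3 and tok[0] in ("object", "object-group") and tok[1] == "network":
            name = tok[2]
            objs.setdefault(name, [])
        elif name and len(tok) == 3 and tok[0] in ("subnet", "network-object") \
                and tok[1] not in ("host", "object"):
            objs[name].append(_net(tok[1], tok[2]))
        elif name and tok[:1] == ["host"] and len(tok) == 2:
            objs[name].append(_net(tok[1], "255.255.255.255"))
    return objs


def uncovered(config, nameif, obj_name):
    """Inside source networks that the given NAT source object does NOT contain."""
    covers = nat_objects(config).get(obj_name, [])
    return [str(n) for n in inside_sources(config, nameif)
            if not any(n.subnet_of(c) for c in covers)]


if __name__ == "__main__":
    print("inside-net misses:", uncovered(QUESTION_CONFIG, "Inside", "inside-net"))
    print("PAT-SOURCE misses:", uncovered(FOLLOWUP_CONFIG, "Inside", "PAT-SOURCE"))
```

With the question's config, `inside-net` (10.0.0.0/24) contains none of the inside source networks, so of the two NAT rules only the Section 1 `any` rule can match them.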

Similar Messages

  • Access from Inside to Outside ASA 5510 ver 9.1

    Hi All,
    I need some help in getting an ASA up and processing traffic from the inside network to the internet. I have a Cisco 2811 Router behind a Cisco ASA 5510. From the ASA I can ping the 2811 and I can ping IP addresses on the internet. I have updated the IOS and ASDM on the router to the newest versions. 9.1(4) and 7.1. I believe the problem is in the Objects, ACL and getting those together, but I don't know much about the ASA and I don't know how the post 8.2 setup works. I am hoping I can get some help here to get me up and running so I can access the internet from behind the ASA.
    Here is my ASA Config and I will post some of the 2811 Router config as well, though I am not sure that is where the issue lies, but at this point, I haven't a clue. Both are up to date for the newest versions of the respective IOS.
    I need to know what objects / ACL's et cetera to put in to get traffic flowing inside / out.
    Thank you for the help!
    ASA5510(config)# sh running-config
    : Saved
    ASA Version 9.1(4)
    hostname ASA5510
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    names
    dns-guard
    interface Ethernet0/0
    description LAN Interface
    nameif Inside
    security-level 100
    ip address 10.10.1.1 255.255.255.252
    interface Ethernet0/1
    description WAN Interface
    nameif Outside
    security-level 0
    ip address 199.195.168.100 255.255.255.240
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    management-only
    shutdown
    nameif management
    security-level 0
    no ip address
    boot system disk0:/asa914-k8.bin
    ftp mode passive
    dns domain-lookup Outside
    dns server-group DefaultDNS
    name-server 199.195.168.4
    name-server 205.171.2.65
    name-server 205.171.3.65
    domain-name internal.int
    access-list USERS standard permit 10.10.1.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu Inside 1500
    mtu Outside 1500
    mtu management 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-715.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    router rip
    network 10.0.0.0
    network 199.195.168.0
    version 2
    no auto-summary
    route Outside 0.0.0.0 0.0.0.0 199.195.168.113 1
    route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1
    route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1
    route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 Inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 Inside
    ssh timeout 60
    ssh version 2
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    username redacted password vj4PdtfGNFrB.Ksz encrypted privilege 15
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns migrated_dns_map_1
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns migrated_dns_map_1
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    : end
    CISCO 2811:
    Current configuration : 2601 bytes
    ! Last configuration change at 07:24:32 UTC Fri Jan 3 2014
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    hostname RouterDeMitch
    boot-start-marker
    boot system flash
    boot-end-marker
    ! card type command needed for slot/vwic-slot 0/0
    no aaa new-model
    dot11 syslog
    ip source-route
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.1.1 192.168.1.49
    ip dhcp excluded-address 172.16.10.1 172.16.10.49
    ip dhcp excluded-address 172.16.20.1 172.16.20.49
    ip dhcp pool Mitchs_Network
    network 192.168.1.0 255.255.255.0
    dns-server 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8
      default-router 192.168.1.1
    ip dhcp pool VLAN10
    network 172.16.10.0 255.255.255.0
    default-router 172.16.10.1
    dns-server 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8
    ip dhcp pool VLAN20
    network 172.16.20.0 255.255.255.0
      dns-server 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8
    default-router 172.16.20.1
    no ip domain lookup
    ip name-server 199.195.168.4
    ip name-server 205.171.2.65
    ip name-server 205.171.3.65
    ip name-server 8.8.8.8
    multilink bundle-name authenticated
    crypto pki token default removal timeout 0
    redundancy
    interface FastEthernet0/0
    description CONNECTION TO INSIDE INT. OF ASA
    ip address 10.10.1.2 255.255.255.252
    ip nat outside
    ip virtual-reassembly in
      duplex auto
    speed auto
    interface FastEthernet0/1
    no ip address
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    interface FastEthernet0/1.1
    encapsulation dot1Q 10
      ip address 172.16.10.1 255.255.255.0
    interface FastEthernet0/1.2
    encapsulation dot1Q 20
    ip address 172.16.20.1 255.255.255.0
    interface FastEthernet0/1.3
    description Trunk Interface VLAN 1
    encapsulation dot1Q 1 native
      ip address 192.168.1.1 255.255.255.0
    interface Dialer0
    no ip address
    router rip
    version 2
    network 172.16.0.0
    network 192.168.1.0
    network 199.195.168.0
    no auto-summary
    ip default-gateway 10.10.1.1
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip dns server
    ip nat inside source list 1 interface FastEthernet0/0 overload
    ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
    access-list 1 permit any
    dialer-list 1 protocol ip permit
    control-plane
    line con 0
    exec-timeout 0 0
    password encrypted
    login
    line aux 0
    line vty 0 4
    exec-timeout 0 0
    transport input all
    scheduler allocate 20000 1000
    end

    I made those changes, but still no internet. I did not add this statement: nat (inside,outside) after-auto source dynamic any interface. I went with the more granular.
    ASA5510# sh running-config
    : Saved
    ASA Version 9.1(4)
    hostname ASA5510
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd liqhNWIOSfzvir2g encrypted
    names
    dns-guard
    interface Ethernet0/0
    description LAN Interface
    nameif Inside
    security-level 100
    ip address 10.10.1.1 255.255.255.252
    interface Ethernet0/1
    description WAN Interface
    nameif Outside
    security-level 0
    ip address 199.195.168.123 255.255.255.240
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    management-only
    shutdown
    nameif management
    security-level 0
    no ip address
    boot system disk0:/asa914-k8.bin
    ftp mode passive
    dns domain-lookup Outside
    dns server-group DefaultDNS
    name-server 199.195.168.4
    name-server 205.171.2.65
    name-server 205.171.3.65
    domain-name internal.int
    object-group network PAT-SOURCE
    network-object 172.16.10.0 255.255.255.0
    network-object 172.16.20.0 255.255.255.0
    network-object 192.168.1.0 255.255.255.0
    network-object 10.10.1.0 255.255.255.252
    access-list USERS standard permit 10.10.1.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu Inside 1500
    mtu Outside 1500
    mtu management 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-715.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (Inside,Outside) after-auto source dynamic PAT-SOURCE interface
    router rip
    network 10.0.0.0
    network 199.195.168.0
    version 2
    no auto-summary
    route Outside 0.0.0.0 0.0.0.0 199.195.168.113 1
    route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1
    route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1
    route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 Inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 Inside
    ssh timeout 60
    ssh version 2
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns migrated_dns_map_1
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns migrated_dns_map_1
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    : end
    Message was edited by: Mitchell Tuckness

  • ASA access from inside to outside interface

    Hi
    We need to make access on our ASA device from inside network to outside interface.
    The situation is next:
    We have public external ip address and we need to access it from our inside network.
    Can you please tell me if it is possible to do this?
    Thank you.

    That's right, the solution is named Hairpinning aka U-turn.
    The dynamic rule was the one suggested in my first reply:
    global (inside) 1* interface           *Assume you are using number one

  • How to allow some fixed extension go in from outside to inside but not allow go from inside to outside

    how to allow some fixed extension go in from outside to inside but not allow go from inside to outside
    for example, allow JPEG, MOV, AVI data flow from outside to inside
    but not allow JPEG, MOV, AVI files access or upload or get by outside, in another words not from inside to outside
    how to configure?

    Hi,
    The ZBF link sent earlier shows how we can inspect the URI in an HTTP request:
    parameter-map type regex uri_regex_cm
       pattern ".*cmd.exe"
    class-map type inspect http uri_check_cm
       match request uri regex uri_regex_cm
    ZBF is the feature on Cisco routers and ASA; though the concepts are a little the same, it works differently. However, it is important that you can be more granular with the protocol (layer 7) inspection only. For example, on the ASA, if you try to restrict an .exe file from a p2p application, that won't be possible, but on a router you have some applications for p2p in NBAR and you can use it for file filtering. Please check the configuration example for both devices.
    Thanks

  • I HAVE AN IPAD 2 WITH WIFI ONLY, CAN I GET INTERNET ACCESS FROM ANY SMARTPHONE, OR DO I NEED A SPECIFIC PHONE FOR THIS?

    I have an iPad 2 with WiFi only. Can I get internet access from any cell phone, or do I need a specific phone or type of phone?

    I received an iPad 2 for Christmas (the 1st Apple item I've ever owned!) and own a Nokia N95 8GB mobile (that's pretty much on its last legs/ready to die any day).
    On the Nokia I've got 2 apps (downloaded from/via Nokia's 'Ovi' app store): JoikuSpot & HandyWi. Both are the free versions.
    I've not used HandyWi much - if at all - but JoikuSpot has been great. Basically, it creates a wifi hotspot (as pjl123 mentioned) in a couple of straightforward steps, and allows a few devices to be connected. It displays who/what is connected at a given time - so you can check if the guy having coffee behind you is piggybacking your hotspot or not! - data packets sent received etc.
    The paid version has the benefit of allowing you to secure the hotspot and other security features.  Their website is www.joiku.com, FYI.
    Given how slow behind the 8 ball Nokia has been, their phones are getting cheaper and cheaper - given Joiku's meant to work with Nokia S60, Symbian ^3, Maemo, Meego & Sony Ericsson S60, this might be a cost effective option.
    Ps. Ah! One more thing - Joiku's website specifies that 3G must be used; that WAP will not work. Good luck, enjoy!

  • ASA 5510 traffic from inside to outside

    Hello,
    I'm working on a basic configuration of a 5510 ASA.
    inside network of 192.168.23.0 /24
    outside network 141.0.x.0 /24
    config is as follows:
    interface Ethernet0/0
     nameif OUTSIDE
     security-level 0
     ip address 141.0.x.0 255.255.255.0
    interface Ethernet0/1
     nameif INSIDE
     security-level 50
     ip address 192.168.23.1 255.255.255.0
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list OUTSIDE_access_in extended permit icmp any any
    access-list OUTSIDE_access_in extended permit tcp any interface OUTSIDE eq https
    access-list INSIDE_access_in extended permit icmp any any
    global (OUTSIDE) 1 interface
    nat (INSIDE) 1 192.168.23.0 255.255.255.0
    access-group OUTSIDE_access_in in interface OUTSIDE
    access-group INSIDE_access_in in interface INSIDE
    route OUTSIDE 0.0.0.0 0.0.0.0 141.0.x.57 1
    In the LAB When I plug a laptop into the outside interface with address 141.0.x.57 I can ping it from a laptop from the inside interface and I can even access the IIS page. However, when I connect the ISP's firewall into the outside interface with the same address that I used the testing laptop with, I cannot seem to be able to access the outside world.
    I can ping from the ASA's outside interface (x.58, to the ISP's x.57), but I cannot ping from the inside 192.168.23.x to it or access anything.
    So traffic between inside and outside interface is not going through when in live setup. However, when in the lab it works fine.
    Any ideas please?

    Version of FW:
    Cisco Adaptive Security Appliance Software Version 8.2(1)
    Device Manager Version 6.3(1)
    Output of Packet-Trace Command is:
    SDH-PUBLIC-ASA(config)# packet-tracer input INSIDE icmp 192.168.23.10 8 0 1xpacket-tracer input INSIDE icmp 192.168.23.10 8 0 141.$
    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list
    Phase: 2
    Type: FLOW-LOOKUP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Found no matching flow, creating a new flow
    Phase: 3
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   141.0.x.0      255.255.255.0   OUTSIDE
    Phase: 4
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group INSIDE_access_in in interface INSIDE
    access-list INSIDE_access_in extended permit icmp any any
    Additional Information:
    Phase: 5
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 6
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    class-map inspection_default
     match default-inspection-traffic
    policy-map global_policy
     class inspection_default
      inspect icmp
    service-policy global_policy global
    Additional Information:
    Phase: 7
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 8
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    nat (INSIDE) 0 192.168.23.0 255.255.255.0
      match ip INSIDE 192.168.23.0 255.255.255.0 OUTSIDE any
        identity NAT translation, pool 0
        translate_hits = 104, untranslate_hits = 0
    Additional Information:
    Dynamic translate 192.168.23.10/0 to 192.168.23.10/0 using netmask 255.255.255.255
    Phase: 9
    Type: NAT
    Subtype: host-limits
    Result: ALLOW
    Config:
    nat (INSIDE) 0 192.168.23.0 255.255.255.0
      match ip INSIDE 192.168.23.0 255.255.255.0 OUTSIDE any
        identity NAT translation, pool 0
        translate_hits = 107, untranslate_hits = 0
    Additional Information:
    Phase: 10
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 11
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 141, packet dispatched to next module
    Result:
    input-interface: INSIDE
    input-status: up
    input-line-status: up
    output-interface: OUTSIDE
    output-status: up
    output-line-status: up
    Action: allow

  • Permit traffic from Inside to Outside, but not Inside to medium security interface

    Can someone just clarify the following. Assume ASA with interfaces as :
    inside (100)   (private ip range 1)
    guest (50)       (private ip range 2)  
    outside (0)      (internet)
    Example requirement is host on inside has http access to host on outside, but it shouldn’t have http access to host on guest – or any future created interfaces (with security between 1-99).
    What’s the best practice way to achieve this?

    Hi,
    The "security-level" alone is ok when you have a very simple setup.
    I would suggest creating ACLs for each interface and use them to control the traffic rather than using the "security-level" alone for that.
    If you want to control traffic from "inside" to any other interfaces (and its networks) I would suggest the following
    Create an "object-group" containing all of the other networks
    Create an ACL for the "inside" interface
    First block all traffic to other networks using the "object-group" created
    After this allow all rest of the traffic
    In the case where you need to allow some traffic to the other networks, insert the rule at the top of the ACL before the rule that blocks all traffic to other networks
    For example a situation where you have interfaces and networks
    WAN
    LAN-1 = 10.10.10.0/24
    LAN-2 = 10.10.20.0/24
    DMZ = 192.168.10.0/24
    GUEST = 192.168.100.0/24
    You could block all traffic from "LAN-1" to any network other than those behind the "WAN" interface with the following configuration.
    object-group network BLOCKED-NETWORKS
    network-object 10.10.20.0 255.255.255.0
    network-object 192.168.10.0 255.255.255.0
    network-object 192.168.100.0 255.255.255.0
    access-list LAN-1-IN remark Block Traffic to Other Local Networks
    access-list LAN-1-IN deny ip any object-group BLOCKED-NETWORKS
    access-list LAN-1-IN remark Allow All Other Traffic
    access-list LAN-1-IN permit ip 10.10.10.0 255.255.255.0 any
    This should work if your only need is to control the traffic of the interface "LAN-1". If you want to control each interfaces connections to the others then you could do minor additions
    Have all your local networks configured under the "object-group". This way you can use the same "object-group" for each interface ACL
    object-group network BLOCKED-NETWORKS
    network-object 10.10.10.0 255.255.255.0
    network-object 10.10.20.0 255.255.255.0
    network-object 192.168.10.0 255.255.255.0
    network-object 192.168.100.0 255.255.255.0
    access-list LAN-1-IN remark Block Traffic to Other Local Networks
    access-list LAN-1-IN deny ip any object-group BLOCKED-NETWORKS
    access-list LAN-1-IN remark Allow All Other Traffic
    access-list LAN-1-IN permit ip 10.10.10.0 255.255.255.0 any
    access-list LAN-2-IN remark Block Traffic to Other Local Networks
    access-list LAN-2-IN deny ip any object-group BLOCKED-NETWORKS
    access-list LAN-2-IN remark Allow All Other Traffic
    access-list LAN-2-IN permit ip 10.10.20.0 255.255.255.0 any
    access-list DMZ-IN remark Block Traffic to Other Local Networks
    access-list DMZ-IN deny ip any object-group BLOCKED-NETWORKS
    access-list DMZ-IN remark Allow All Other Traffic
    access-list DMZ-IN permit ip 192.168.10.0 255.255.255.0 any
    access-list GUEST-IN remark Block Traffic to Other Local Networks
    access-list GUEST-IN deny ip any object-group BLOCKED-NETWORKS
    access-list GUEST-IN remark Allow All Other Traffic
    access-list GUEST-IN permit ip 192.168.100.0 255.255.255.0 any
    Then you could basically use the same type of ACLs on each interface. (Though still separate ACLs for each interface.) And as I said, if you need to open something between local networks, then insert the correct "permit" rule at the top of the ACL.
    Hope this helps
    - Jouni
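The ordering rule from the answer above, worked through as an added example (not code from the thread): a small first-match evaluator for the `LAN-1-IN` ACL and `BLOCKED-NETWORKS` group shown there. The exception entry (TCP 443 to a DMZ host 192.168.10.20) and the test flows are constructed samples, and the `Ace`/`evaluate` names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


def nets(*cidrs):
    return tuple(ipaddress.ip_network(c) for c in cidrs)


ANY = nets("0.0.0.0/0")
# object-group network BLOCKED-NETWORKS, as in the first example of the answer
BLOCKED_NETWORKS = nets("10.10.20.0/24", "192.168.10.0/24", "192.168.100.0/24")


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: tuple                   # source networks
    dst: tuple                   # destination networks
    dport: Optional[int] = None  # None means any destination port

    def matches(self, proto, src, dst, dport):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        return (self.proto in ("ip", proto)
                and any(s in n for n in self.src)
                and any(d in n for n in self.dst)
                and (self.dport is None or self.dport == dport))


# access-list LAN-1-IN deny ip any object-group BLOCKED-NETWORKS
# access-list LAN-1-IN permit ip 10.10.10.0 255.255.255.0 any
LAN_1_IN = [
    Ace("deny", "ip", ANY, BLOCKED_NETWORKS),
    Ace("permit", "ip", nets("10.10.10.0/24"), ANY),
]

# Constructed exception: LAN-1 may reach one DMZ host on TCP 443.
DMZ_HTTPS = Ace("permit", "tcp", nets("10.10.10.0/24"), nets("192.168.10.20/32"), 443)


def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, line) of the first matching entry.
    A flow that matches nothing hits the implicit deny: ("deny", None)."""
    for line, ace in enumerate(acl, start=1):
        if ace.matches(proto, src, dst, dport):
            return ace.action, line
    return "deny", None


if __name__ == "__main__":
    flows = [
        ("LAN-1 -> GUEST", LAN_1_IN, ("tcp", "10.10.10.5", "192.168.100.7", 80)),
        ("LAN-1 -> internet", LAN_1_IN, ("tcp", "10.10.10.5", "8.8.8.8", 80)),
        ("exception appended", LAN_1_IN + [DMZ_HTTPS],
         ("tcp", "10.10.10.5", "192.168.10.20", 443)),
        ("exception at top", [DMZ_HTTPS] + LAN_1_IN,
         ("tcp", "10.10.10.5", "192.168.10.20", 443)),
        ("foreign source on LAN-1", LAN_1_IN, ("tcp", "10.10.20.5", "8.8.8.8", 80)),
    ]
    for label, acl, flow in flows:
        print(f"{label:26} {evaluate(acl, *flow)}")
```

An exception added below the deny entry is shadowed and never matches, which is why the answer says to insert it at the top. Because the final permit is scoped to 10.10.10.0/24 rather than `any`, a source address that does not belong on LAN-1 falls through to the implicit deny.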

  • How can I permit all traffic from inside-dmz-outside on asa5505

    Scenario :
    Servers are in DMZ, Internal LAN Users should access ports Specified (5000 & 2048). Router 2801 is facing Leased line; from there it’s connected to firewall.
    Router LAN IP: 83.111.X.X - 255.255.255.X
    ASA Version 7.2(4)
    hostname ciscoasa
    domain-name default.domain.invalid
    enable password 2KFQnbNIdI.2KYOU encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.X.X 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 83.111.X.X 255.255.255.240
    interface Vlan3
    nameif dmz
    security-level 100
    ip address 192.168.100.1 255.255.255.0
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    switchport access vlan 3
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    switchport access vlan 3
    interface Ethernet0/7
    ftp mode passive
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 83.111.x.x
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 192.168.1.2-192.168.1.254 inside
    dhcpd enable inside
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:5663409d6ba3ad0bcd163e691f032f76
    : end

    Hi Ben,
    Thank you for the response. I followed the link and tried reading everything you posted on AEs but I'm afraid that I didn't understand it all. It seems that each AE example had a single input and a single output (e.g. a double). Is this the case? 
    What I have is a couple of front panel clusters containing (approximately) 18 control doubles, 8 indicator doubles, 5 boolean radio button constructs and 26 boolean control discretes. I clusterized it to make it readable. In addition I'll eventually have a cluster of task references for hardware handles.
    All I want to do is update the front panel values like I would do in C, VB or any other language. I've tried referencing the cluster and using the reference from inside the loops. I've tried using local variables. Neither works. I'm experimenting with globals but it seems that I have to construct the front panel in the global and then I wouldn't know how to reproduce that on the front panel of the main VI. Sometimes it seems that more time is spent getting around LabVIEW constructs than benefitting from them.
    I hope the 'Add Attachment' function actually puts a copy of the VI here and not a link to it.
    Thanks again for the suggestion,
    Frank 

  • RDP from inside to outside using PAT?

    I have several client machines (inside) that need to have RDP access to one server (outside) residing on a customer site. The challenge is that the client machines can be anywhere/any subnet at any given time and will have different IP addresses from DHCP. Because of this I can't use static NAT. Also, I only need RDP access from my network to the customer server. So will it work if I use PAT? Thanks for the help in advance.

    Hello Sandeep,
    In my opinion there shouldn't be any issue since you are NATing the RDP clients to a single IP. As long as we have static NAT and permission at the destination (server side) it should work.
    Hope it helps
    Harish.

  • How to allow ping from inside to outside in 2900 router?

    Hi,
    I have a Cisco 2900 router with firewall. I need to know how I can allow ping from the self zone to the outside zone. I tried to create a policy from self to outside but it still didn't allow ping or tracert. I get this message when I try to ping from the Cisco router:
    "Unrecognized host or address, or protocol not running"
    any help will be appreciated.
    Thank you

    Hi jcarvaja
    here is the used configuration:
    Building configuration...
    Current configuration : 5584 bytes
    ! Last configuration change at 09:00:20 UTC Tue Apr 9 2013 by admin
    version 15.1
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    no service password-encryption
    service udp-small-servers
    service tcp-small-servers
    service sequence-numbers
    hostname Router
    boot-start-marker
    boot-end-marker
    security authentication failure rate 3 log
    security passwords min-length 6
    no logging buffered
    no logging console
    enable secret 5
    no aaa new-model
    no ipv6 cef
    ip source-route
    ip gratuitous-arps
    ip icmp rate-limit unreachable 1
    ip cef
    ip name-server 163.121.128.134
    ip name-server 163.121.128.135
    ip port-map user-custom-fleet port tcp 2000 list 1
    multilink bundle-name authenticated
    crypto pki token default removal timeout 0
    crypto pki trustpoint TP-self-signed-324261422
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-324261422
    revocation-check none
    crypto pki certificate chain TP-self-signed-324261422
    certificate self-signed 01
          quit
    license udi pid CISCO2901/K9 sn FCZ1526C3JL
    object-group service Outside-Reply
    icmp echo-reply
    username admin privilege 15 secret 5
    redundancy
    ip finger
    ip tcp synwait-time 10
    ip ssh time-out 60
    ip ssh authentication-retries 2
    class-map type inspect match-any Deny_ALL
    match access-group name dwdwd
    class-map type inspect match-any Inside-Outside
    match protocol http
    match protocol https
    match protocol dns
    class-map type inspect match-any ICMP_RQST
    match protocol icmp
    policy-map type inspect Inside-Outside
    class type inspect Inside-Outside
      inspect
    class class-default
      drop
    policy-map type inspect Self_to_Outside
    class type inspect ICMP_RQST
      inspect
    class class-default
      drop
    policy-map type inspect Outside_to_Self
    class type inspect Deny_ALL
      pass log
    class class-default
      drop
    zone security IN
    zone security OUT
    zone-pair security Self_to_Outside source self destination OUT
    service-policy type inspect Self_to_Outside
    zone-pair security Outside_to_Self source OUT destination self
    service-policy type inspect Outside_to_Self
    zone-pair security Inside-Outside source IN destination OUT
    service-policy type inspect Inside-Outside
    interface GigabitEthernet0/0
    ip address 101.101.100.245 255.255.255.0
    ip mask-reply
    ip directed-broadcast
    ip flow ingress
    duplex auto
    speed auto
    interface GigabitEthernet0/1
    description $FW_INSIDE$
    ip address 49.31.152.80 255.255.255.248
    ip mask-reply
    ip directed-broadcast
    ip flow ingress
    zone-member security IN
    duplex auto
    speed auto
    interface Serial0/0/0
    no ip address
    ip mask-reply
    ip directed-broadcast
    ip flow ingress
    encapsulation frame-relay IETF
    no fair-queue
    frame-relay lmi-type q933a
    interface Serial0/0/0.16 point-to-point
    description $FW_OUTSIDE$
    ip address 172.17.18.122 255.255.255.252
    ip mask-reply
    ip directed-broadcast
    ip flow ingress
    ip verify unicast reverse-path
    zone-member security OUT
    frame-relay interface-dlci 16  
    interface Serial0/0/1
    no ip address
    ip mask-reply
    ip directed-broadcast
    ip flow ingress
    shutdown
    clock rate 2000000
    ip forward-protocol nd
    ip http server
    ip http access-class 2
    ip http authentication local
    ip http secure-server
    ip route 0.0.0.0 0.0.0.0 Serial0/0/0.16
    ip identd
    ip access-list extended ICMP
    remark CCP_ACL Category=128
    permit ip any any
    ip access-list extended deeef
    remark CCP_ACL Category=128
    permit ip any any
    ip access-list extended dwdwd
    remark CCP_ACL Category=1
    permit object-group Outside-Reply any any
    access-list 1 remark CCP_ACL Category=1
    access-list 1 permit 196.219.234.77
    access-list 2 remark Auto generated by SDM Management Access feature
    access-list 2 remark CCP_ACL Category=1
    access-list 2 permit 101.101.100.0 0.0.0.255
    access-list 2 permit 10.20.10.0 0.0.1.255
    no cdp run
    control-plane
    line con 0
    login local
    transport output telnet
    line aux 0
    login local
    transport output telnet
    line vty 0 4
    login local
    transport input all
    line vty 5 15
    login local
    transport input all
    scheduler allocate 20000 1000
    end

  • No internet access from WRT54G router -see details please-

    I have a westell 6100 modem with Verizon high speed internet.
    I was given these instructions for my modem by Verizon for the router to work and it still doesn't. What do I need to do?
    3. Click on Network Connections in the left navigation menu.
    4. Click on Broadband Connection (DSL) to continue to the Broadband Connection.
    5. Locate the VPI VCI of 0 & 35 under VCs and click the Edit icon.
    6. Verify that the VC Status is Enabled and that the VPI & VCI are 0 and 35 respectively.
    7. Change the Protocol drop down menu to Bridge then change the Bridge Mode: drop down menu to Bridge and click Apply.
    8. Select OK to allow the modem to reset and apply the new changes.
    9. Click on My Network in the top navigation bar.
    10. Click on Network Connections.
    11. Click on LAN.
    12. Remove the check mark from the Private LAN DHCP Server Enable field.
    13. Verify that the Private LAN is now off and click on Apply. 
    windows 7
    I can connect to "linksys" as a wireless network, but get no internet access. Please help! Thank you!

    The settings that you provided are for the modem, so I suppose you are able to go online with the modem… Please let me know the IP address that you are receiving from the modem… Since the connection that you have is a DSL connection, if the IP address you are receiving from the modem under LAN (Local Area Connection) is a private IP address (192.168.X.X), then follow the steps:
    # Connect the modem with the Linksys Router WRT54G on the Internet Port and then connect the Computer on any of the Ethernet Port on the Router (Numbered – 1, 2, 3 and 4)…
    # Open up the browser and on the address bar type 192.168.1.1 that will open up the Router setup page…
    # Look for the Local IP Address and change it to 192.168.2.1 …
    # Click Save Settings...
    # Then Click on wireless Tab create the Wireless Network Name SSID and select the channel to 6, 9, and 11… Click Save Settings...
    # Then Click on Wireless Security sub tab and select the security mode and provide the password as per the requirement… Click Save Settings...
    # Click on Status Tab on the Router Setup page check if Internet IP Address has numbers or values. If the Internet IP Address has numbers, the computer should now be able to access the Internet. If the IP address is all zeroes (0.0.0.0) click "IP Address Release" first then click "IP Address Renew".  If the IP address is still all zeroes, enable PPPoE on the router.
    To enable PPPoE on the router you should have a username and password provided by the ISP (Internet Service Provider) and follow the steps...
    # Under the Setup tab, set the Internet Connection Type to PPPoE…
    # Enter the Username and Password that your ISP provided, including the domain in the User Name field if necessary…
    # Click Save Settings...
    # Then Click on wireless Tab create the Wireless Network Name SSID and select the channel to 6, 9, and 11… Click Save Settings...
    # Then Click on Wireless Security sub tab and select the security mode and provide the password as per the requirement… Click Save Settings...
    # Click the Status tab then look for Login Status and check if it says Connected.  If it’s connected, you should be able to access the Internet.
    After applying these settings, connect the wireless computer to the preferred network… Once it gets connected you will be online wirelessly as well…

  • Time Capsule - how to gain "over-the-internet" access from Windows 7!

    Hi guys,
    I've been fighting for such a long time with my Time Capsule. I have no idea how to gain access "over-the-internet" on a PC (Windows 7) which is running on another network. My Time Capsule is set up with my MacBook Pro at home running OS X Lion, and I have an internet connection. My brother, who also uses a MacBook, has no problems connecting to my Time Capsule through Finder (connect to a server). But how do I gain "over-the-internet" access to my Time Capsule through a PC (Windows 7) from my office? Is there someone who can guide me step-by-step on how to connect to my TC through a PC? Or maybe just an explanation of what has to be done on the PC before this thing can work out! This was the main reason why I bought the Time Capsule, besides the Time Machine function. I also have an iCloud account (earlier MobileMe), if that makes any difference.
    Thanks!

    There is no way to do it from windows direct to the TC.
    It only presents AFP to the WAN side. And most ISP block SMB from internet access due to risks. There is AFAIK, no suitable AFP protocol utility for windows at the moment. If you google and find one, be aware it probably will not work to your satisfaction anyway.
    You must use a Mac to access AFP but even then it is not a secure protocol and I would recommend against it anyway.
    So basically if you had asked before purchasing, I would have said the TC is an unsuitable product. It is a backup drive for a Mac. It is not a NAS. It is not designed for remote access by any computer other than a Mac. It does not support any other file protocol to the WAN interface, and no secure protocol even there.
    A NAS with Time Machine extensions from QNAP, Synology, Netgear all are designed for web access and are far more suitable. Researching a purchase beforehand is always worthwhile.
    Anyway, your choices are.. return the TC and buy something more suited to the job.
    Or if return is now impossible sell the TC on ebay.. etc and do the same thing.. buy a more suitable NAS.
    Or buy a cheap mac mini (even second hand) and use that for communications with home.
    Or, replace your current router with something that includes vpn. This is actually a good and commercially sound decision. VPN is generally used by business to connect to remote locations, because it is secure and will allow the greatest flexibility of connection. How hard or easy depends on the current setup. I would recommend a combined modem router with vpn server if you have adsl. Or for cable you can find plenty of routers with combined vpn. You can also use those for adsl if your ISP allows pppoe with bridged modem. The TC will have to be bridged as well. For other broadband it might be harder to find the right kind of box.
    Once you set up a VPN you can access it from work using the appropriate VPN client on your work computer.

  • No internet access from my airport

    Hi there,
    I have a problem with my two Airport Expresses. I'll explain my config first.
    I have one router (from the internet provider, so not Apple) connected to an ADSL line, with hardwired ethernet connections to both Airport Expresses.
    The two AEs have the same name (SSID) and password and are configured as Create a new Network. This allows me not only to extend my network reach but also to use the jack connections in 2 different rooms for 2 different hi-fi systems for the AirPlay feature. They are in bridge mode.
    The router from my internet provider has a different SSID on purpose because I don't want my computer to connect to that one when I'm closer to it, since I always had more transmission problems with AirPlay when connected to a non-Apple router. The sound is often cut, while with the AE it always flows better.
    The problem is that AirPlay works but the internet connection is very bad, I mean it takes minutes to open a page, and if I want to surf from my computer I have to choose the other SSID and then no problem.
    When I open the Airport Utility I can see that sometimes it's all green but the internet switches constantly from green to yellow.
    I'm just in the process of changing my internet provider, which means that I actually have at this moment 2 internet connections and 2 routers from 2 different providers, and therefore have made the test with both of them with the same result.
    that's it. Any idea?
    thanks in advance

    Hi,
    This is getting worse. As I was unable to solve the problem I decided to start from scratch and therefore I have reset my 2 Airports to default values.
    Then in my Airport Utility I only have the Internet access, the earth globe, and it's green, so I can surf the web by connecting to the SSID of the router of my internet provider.
    Then I plug one Airport into the power. It appears in the left-hand upper corner of the Airport Utility. I click on it (at that moment my wifi is no longer connected to the internet router but to the Airport itself) and follow the steps to configure it.
    It says that it will be configured to create a network so I give it the same SSID and pwd as the one from the OLO provider. It tells me to connect the cable to the router, I do it and it goes to the next step where it asks me to switch off the internet router for a few minutes and switch it on again. I do it and after a while it says that an error occurred while configuring the Airport.
    At that moment I lose access to my Airport. It appears neither on the Wifi panel as its MAC address (or whatever the hex number is) nor within the Airport Utility as an Airport connected to my internet router.
    So the only way left to get back to it is to reset it again.
    I did this process with the 2 Airports, and met the same problem, so I guess I'm doing something wrong.
    Where is my mistake?
    thanks in advance.

  • Securely Access Exchange Server 2007 through ASA 5510 using Outlook

    Is there any way to access a MS Exchange Server 2007 on Windows server 2008 through an ASA 5510 running 8.4 with a full MS Outlook client (not using OWA - web browser)?  OWA is currently working fine but I was wondering if access via the full Outlook client is possible and more importantly...is it opening up too many ports on my 5510?  Any help is much appreciated!
    ~John

    Hi John,
    For that scenario, a remote access VPN is probably the best way to go (either the traditional IPSec client or SSL VPN/AnyConnect). This config guide lists your options on the ASA:
    http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_ike.html
    -Mike

  • Mi424wr-gen3I no internet access from secondary subnet / router

    All,
    I am looking to provide internet access to my internal LAN / WLAN devices on another router.  I have configured my second router to connect to the 192.168.1.0/24 network on the mi424wr LAN. 
    Static routes: 192.168.2.0/24  next hop 192.168.1.254 (secondary router interface connected to m1424wr LAN)
    Firewall policy filter: Network Home  Inbound and outbound allow access sourced and destined to both subnets.
    I have layer 3 connectivity between the routers but I am not able to browse the internet from the secondary router's 192.168.2.0 network. My default router on the 192.168.2.0/24 is the 192.168.1.1 router.
    I tried to modify the DNS setting for devices on the 192.168.2.0 net but nothing works. Used 192.168.1.1 (the mi424wr interface, which is the setting for the 192.168.1.0 net devices). Even tried using Verizon's DNS server 68.237.161.12 but no internet access. The mi424wr does have a DNS server setting to which I tried to statically add a 192.168.2.x host, but that did not work.
    So I am not sure if the mi424wr DNS server is not allowing any other subnets beside the 192.168.1.0/24 to access its DNS services or some other policy is needed to be created.  My secondary router is not NATing and at a loss.
    Tried to research other methods of using my secondary router to connect to the internet with the mi424wr-gen3I but nothing seems worth trying. Setting the mi424wr-gen3I to bridge mode would be an option but I have not seen any configuration for the REV I router version. My last setup worked in bridge mode and STBs were functional but VOD was always very choppy. It seems there are some QoS settings the mi424wrI has configured to improve traffic priority for video.
    Any assistance appreciated. 
    Rich

    As STX said. All you need to do is to connect an ethernet cable from a LAN port of the Verizon router to the WAN port of your own router. Your own router needs to be configured with an address on the 192.168.1 subnet, either DHCP or static; yours, you say, is at 192.168.1.254, as is mine. Then you should have configured the DHCP side of your router with a subnet other than 192.168.1, which apparently you have done. You do not need static routes or anything else for devices on the 192.168.2 subnet to access the internet, other than valid DNS server addresses. Did you set valid DNS server addresses in the static IP internet connection on your router? You could set it to 192.168.1.1 and pick up whatever DNS the VZ router is using, or you could set it to DNS servers of your choice; personally I set mine to OpenDNS server addresses.
    What kind of router is the second router?
    Your description of your setup sound OK and the only difference I see between your setup and mine is that you say your second router is not NATing
